Contributor
March 7, 2008
Question

how to allow SMTP and HTTP from External to internal

  • March 7, 2008
  • 2 replies
  • 2525 views
Hi, how to allow SMTP and HTTP traffic from outside users (Internet) to the internal mail server?

Fortigate 60B configuration details:
WAN IP: 61.6.x.y
Internal IP: 192.168.1.254
Mail server & Web server: 192.168.1.1

Note: SMTP and HTTP traffic reaching the WAN IP is to be forwarded to 192.168.1.1.

Thank you very much; your immediate response is highly appreciated.


    UkWizard
    New Member
    March 7, 2008
    Do you have a range of IP addresses? Normally you would use another spare one dedicated for that server. Then create a Virtual IP (VIP) with the spare external address, pointing to the mail server address, and do a static NAT (not port-forwarding). Then create an external --> internal policy with source as 'all' and dest as the VIP name you created; just don't forget to create and apply a Protection policy to the rule as required. Personally I would recommend moving external-facing servers into a dedicated DMZ network, as it's more secure; I cannot remember offhand whether your model has a DMZ port, and there is a lot more thought and work involved in relocating servers.
    rwpatterson
    New Member
    March 7, 2008
    Welcome to the forums. If you are dedicated to a single port (as I am at home), then you must use VIP rules with port forwarding. As UK stated, create the policies allowing required services and protection profiles, and you should be good to go.
    Contributor
    March 8, 2008
    Hi, thanks for your message. There is no range of IP addresses: a single public IP, configured as the Fortigate WAN IP.

    Fortigate 60B configuration details:
    WAN IP: 61.6.x.y
    Internal IP: 192.168.1.254
    Mail server & Web server: 192.168.1.1

    Note: SMTP and HTTP traffic reaching the WAN IP is to be forwarded to 192.168.1.1.

    Thank you very much; your immediate response is highly appreciated.
    rwpatterson
    New Member
    March 8, 2008
    When creating the VIP rule, outside IP is the wildcard, 0.0.0.0. Set the inside to the server IP, and create one for port 21 (FTP), 80 (HTTP), and any additional ones for each new incoming service. You can group these together, or create a separate policy for each, your option. If you do not choose the port forwarding option, then all traffic will be sent to the server, thereby removing your option to manage the FGT remotely.
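As an added illustration (not from any of the posters above), here is what the single-public-IP setup rwpatterson describes looks like in the FortiGate CLI, for the two services the original question asked about (SMTP on 25 and HTTP on 80). It uses the FortiOS 3.0-era syntax of the 60B, where `extip 0.0.0.0` on a VIP means "the address of the external interface"; the interface names `wan1` and `internal`, the VIP names, and the policy ID are assumptions, and the protection-profile line is a placeholder because its keyword differs between firmware versions.

```fortios
# Added example configuration, not from the thread.
# Port-forwarding VIPs: only the listed ports reach 192.168.1.1, so the
# FortiGate's own management ports on the WAN address stay reachable.
config firewall vip
    edit "vip-smtp-25"
        set extintf "wan1"
        set extip 0.0.0.0            # assumption: use the wan1 interface address
        set portforward enable       # forward one port, not the whole address
        set extport 25
        set mappedip 192.168.1.1     # mail/web server from the question
        set mappedport 25
    next
    edit "vip-http-80"
        set extintf "wan1"
        set extip 0.0.0.0
        set portforward enable
        set extport 80
        set mappedip 192.168.1.1
        set mappedport 80
    next
end

# One wan1 -> internal policy covering both VIPs (or one policy per VIP,
# as rwpatterson notes). Policy ID 10 is an assumption.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-smtp-25" "vip-http-80"
        set action accept
        set schedule "always"
        set service "SMTP" "HTTP"     # restrict to the forwarded services only
        set logtraffic all            # keep logs for the exposed services
        # attach a protection profile here; the keyword varies by firmware version
    next
end
```

Verify after applying: from an outside host, only TCP 25 and 80 on the WAN address should answer with the server's banners, while any other port still answers as the FortiGate itself (or not at all, depending on the administrative access settings on wan1). If every port ends up at 192.168.1.1, the VIP was created without `portforward enable`, which is exactly the static-NAT behaviour rwpatterson warns locks you out of remote management.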